debops.netbase: manage local host and network database in
/etc/hosts and /etc/networks files.

debops.sudo: install and manage sudo configuration on
a host. The role is included in the common.yml playbook.

debops.system_groups: configure UNIX system groups used on DebOps
hosts. The role is included in the common.yml playbook.

debops.debops_legacy: clean up legacy files, directories, APT
packages or dpkg-divert diversions created by DebOps but no
longer used. This role needs to be executed manually, it's not included in
the main playbook.

debops.python: manage Python environment, with support for multiple
Python versions used at the same time. The role is included in the
common.yml playbook.

[debops.users] Selected UNIX accounts can now be configured to linger when
not logged in via the item.linger parameter. This allows these accounts
to maintain long-running services when not logged in via their own private
systemd instances.

[debops.sudo] You can now manage configuration files located in the
/etc/sudoers.d/ directory using sudo__*_sudoers
inventory variables, with multiple level of conditional options.

[debops.ntp] The OpenNTPD service will now properly integrate the
ifupdown hook script with systemd. During boot, NTP
daemon will be started once network interfaces are configured and will not
restart multiple times on each network interface change.

[debops.resources] The role can now generate custom files using templates,
based on a directory structure. See resources__templates for more
details.

[debops.nginx] A default set of SSL ciphers can be specified using the
nginx_default_ssl_ciphers variable. This disables the
ssl_ciphers option in the nginx configuration and forces the
server to use the defaults provided by the OS.

[debops.dhparam] The role will set up a systemd timer to
regenerate Diffie-Hellman parameters periodically if it's available. The
timer will use random delay time, up to 12h, to help with mass DHparam
generation in multiple LXC containers/VMs.

The DebOps installation now depends on the dnspython Python library. This
allows usage of the dig Ansible lookup plugin in DebOps roles to gather
data via DNS SRV records.

The DebOps installation now depends on the future Python library which
provides compatibility between Python 2.7 and Python 3.x environments. It is
currently used in the custom Ansible filter plugin provided by DebOps, but
its use will be extended to other scripts in the future to make the code more
readable.

The editor alternative symlink configuration has been moved from
the debops.console role to the debops.apt_install role which also
installs vim by default.

The configuration of automatic removal of APT packages installed via
Recommends: or Suggests: dependencies has been moved from the
debops.apt role to the debops.apt_mark role which more closely
reflects its intended purpose. Variable names and their default values
changed; see the Upgrade notes for more details.

[debops.owncloud] Support Nextcloud 13 and partially ownCloud 10. Nextcloud
11 and ownCloud 9.1 are EOL, you should update. The role can help you with
the update to ensure that everything works smoothly with the new versions.
Currently, the role can not do the update for you.

[debops.sshd] The role will now check the debops.system_groups Ansible
local facts to define what UNIX groups are allowed to connect to the host via
the SSH service.

[debops.nodejs] The NPM version installed by the role from GitHub is changed
from v5.4.2 to latest which seems to be an equivalent of a stable
branch.

Some of the existing DebOps Policies and Guidelines have been reorganized and
the concept of DebOps Enhancement Proposals (DEPs) is introduced, inspired by
the Python Enhancement Proposals.

[debops.ifupdown] The debops.kmod role is added as a dependency. The
debops.ifupdown role will generate modprobe configuration
based on the type of configured network interfaces (bridges, VLANs, bonding)
and the kernel modules will be automatically loaded if missing.

[debops.nodejs] Recent versions of NPM require NodeJS 6.0.0+ and don't
work with other releases. Because of that the newest NPM release is not
installable on hosts that use NodeJS packages from older OS releases.

The 'debops.nodejs' role will install NPM v5.10.0 version in this case to
allow NPM to work correctly - on Debian Jessie, Stretch and Ubuntu Xenial.
Otherwise, a NPM from the latest branch will be installed, as before.

[debops.nodejs] Instead of NodeJS 6.x release, the role will now install
NodeJS 8.x release upstream APT packages by default. This is due to the
NodeJS 6.x release switching to a Maintenance LTS mode. NodeJS 8.x will
be supported as a LTS release until April 2019.

[debops.nodejs] The role will install upstream NodeSource APT packages by
default. This is due to no security support in Debian Stable, therefore
an upstream packages should be considered more secure. The upstream NodeJS
packages include a compatible NPM release, therefore it won't be separately
installed from GitHub.

The existing installations shouldn't be affected, since the role will select
OS/upstream package versions based on existing Ansible local facts.

[debops.gitlab] Redesign the GitLab version management to read the versions
of various components from the GitLab repository files instead of managing
them manually in a YAML dictionary. The new gitlab__release
variable is used to specify desired GitLab version to install/manage.

[debops.gitlab] The gitaly service will be installed using the
git UNIX account instead of root. Existing installations might
require additional manual cleanup; see the Upgrade notes for details.

[debops.gitlab] The role now supports installation of GitLab 10.7.

[debops.gitlab] The usage of gitlab__fqdn variable is revamped
a bit - it's now used as the main variable that defines the GitLab
installation FQDN. You might need to update the Ansible inventory if you
changed the value of the gitlab_domain variable used previously for this
purpose.

[debops.lxc] Add lxc-prepare-ssh script on the LXC hosts that can
be used to install OpenSSH and add the user's SSH authorized keys inside of
the LXC containers. This is a new way to prepare the LXC containers for
Ansible/DebOps management that doesn't require custom LXC template scripts
and can be used with different LXC container types.

[debops.core] The role will add any new administrator accounts to the list of
existing admin accounts instead of replacing them in the Ansible local fact
script. This should allow for multiple administrators to easily coexist and
run the DebOps playbooks/roles from their own accounts without issues.

[debops.mariadb_server] [debops.mariadb] The MariaDB/MySQL server and client
will now use the utf8mb4 encoding by default instead of the utf8
which is an internal MySQL character encoding. This might impact existing
databases, see the Upgrade notes for details.

[debops.unattended_upgrades] On hosts without a domain set, the role enabled
all upgrades, not just security updates. This will not happen anymore, the
security updates are enabled everywhere by default, you need to enable all
upgrades specifically via the unattended_upgrades__release
variable.

The debops script can now parse multiple playbook names specified
in any order instead of just looking at the first argument passed to it.

[debops.apt_install], [debops.auth]: don't install the sudo package by
default, this is now done via a separate debops.sudo role to easily
support switching to the sudo-ldap APT package.

[debops.console] Remove support for copying custom files from the role. This
functionality is covered better by the debops.resources role.

[debops.console] Remove support for managing entries in the
/etc/hosts database. This is now covered by the debops.netbase
Ansible role.

[debops.auth] Remove configuration of UNIX system groups and accounts in the
admins UNIX group. This is now done by the debops.system_groups
Ansible role.

[debops.bootstrap] The sudo configuration has been removed from
the debops.bootstrap role. The bootstrap.yml playbook now includes
the debops.sudo role which configures sudo service.

[debops.bootstrap] The UNIX system group management has been removed from the
role, the bootstrap.yml playbook now uses the debops.system_groups
role to create the UNIX groups used by DebOps during bootstrapping.

[debops.bootstrap] Remove management of Python packages from the role. The
bootstrap.yml playbook uses the debops.python role to configure
Python support on the host.

[debops.lxc] Remove support for direct LXC container management from the
role. This functionality is better suited for other tools like
lxc-* set of commands, or the Ansible lxc_container module
which should be used in custom playbooks. The 'debops.lxc' role focus should
be configuration of LXC support on a host.

[debops.lxc] Remove custom LXC template support. The LXC containers can be
created by the normal templates provided by the lxc package, and then
configured using DebOps roles as usual.

[debops.postgresql_server] The tasks that modified the default template1
database and its schema have been removed to make the PostgreSQL installation
more compatible with applications packaged in Debian that rely on the
PostgreSQL service. See the relevant commit for more details. Existing
installations shouldn't be affected.

The debops-contrib.etckeeper role has been integrated into DebOps as
debops.etckeeper. The new role is included in the common.yml
playbook.

[debops.ifupdown] The role has new tasks that manage custom hooks in other
services. First hook is The filter-dhcp-options hook
which can be used to selectively apply DHCP options per network interface.

[debops.lxc] The role will now generate the lxc-debops LXC template
script from different templates, based on an OS release. This change should
help fix the issues with LXC container creation on Debian Stretch.

The test suite used on Travis-CI now checks the syntax of the YAML files, as
well as Python and shell scripts included in the repository. The syntax is
checked using the yamllint, pycodestyle and
shellcheck scripts, respectively. Tests can also be invoked
separately via the make command.

[debops.etherpad] The role can now autodetect and use a PostgreSQL database
as a backend database for Etherpad.

[debops.pki] The X.509 certificate included in the default domain PKI
realm will now have a SubjectAltName wildcard entry for the host's FQDN. This
should allow for easy usage of services related to a particular host in the
cluster over encrypted connections, for example host monitoring, service
discovery, etc. which can be now published in the DNS zone at
*.host.example.org resource records.

[debops.pki] The role now supports Let's Encrypt ACMEv2 API via the
acme-tiny Python script. The existing PKI realms will need to be
re-created or updated for the new API to work, new PKI realms should work out
of the box. Check the Upgrade notes for more details.

[debops.proc_hidepid], [debops.lxc] The roles now use a static GID 70 for
the procadmins group to synchronize the access permissions on a host and
inside the LXC containers. You will need to remount the filesystems, restart
services and LXC containers that rely on this functionality.

[debops.sysctl] The configuration of the kernel parameters has been
redesigned, instead of being based on YAML dictionaries, is now based on YAML
lists of dictionaries and can be easily changed via Ansible inventory. You
will need to update your inventory for the new changes to take effect, refer
to the role documentation for details.

[debops.ferm] The role should now correctly detect what Internet Protocols
are available on a host (IPv4, IPv6) and configure firewall only for the
protocols that are present.

The debops command will now generate the ansible.cfg
configuration file with correct path to the Ansible roles provided with the
DebOps Python package.

[debops.nginx] Fix a long standing bug in the role with Ansible failing
during welcome page template generation with Jinja2 >= 2.9.4. It was related
to non-backwards compatible change in Jinja that modified how variables
are processed in a loop.

The debops-contrib.kernel_module Ansible role has been removed; it was
replaced by the new debops.kmod Ansible role.

[debops.ferm] The ferm-forward hook script in the
/etc/network/if-pre-up.d/ directory has been removed (existing
instances will be cleaned up). Recent changes in the debops.ferm role
broke idempotency with the debops.ifupdown role, and it was determined
that the functionality provided by the hook is no longer needed, recent OS
releases should deal with it adequately.

New Ansible roles have been imported from the debops-contrib
organization: apparmor, bitcoind, btrfs, dropbear_initramfs,
etckeeper, firejail, foodsoft, fuse, homeassistant,
kernel_module, kodi, neurodebian, snapshot_snapper, tor,
volkszaehler, x2go_server. They are not yet included in the main
playbook and still need to be renamed to fit with the rest of the
debops.* roles.

New DebOps roles:

debops.sysfs: configuration of the Linux kernel attributes through
the /sys filesystem. The role is not enabled by default.

debops.locales: configure localization and internationalization on
a given host or set of hosts.

debops.machine: manage the /etc/machine-info file,
the /etc/issue file and a dynamic MOTD.

You can now use Vagrant to create an Ansible
Controller based on Debian Stretch and use it to manage itself or other hosts
over the network.

You can now build an Ansible Controller with DebOps support as a Docker
container. Official Docker image is also
available, automatically rebuilt on every commit.

You can now install DebOps on Arch Linux
using an included PKGBUILD file.

Add new playbook, agent.yml. This playbook is executed at the end of the
main playbook, and contains applications or services which act as "agents" of
other services. They may contact their parent applications to report about
the state of the host they are executed on, therefore the agents are
installed and configured at the end of the main playbook.

[debops.libvirtd] The role can now detect if nested KVM is enabled in
a particular virtual machine and install KVM support.

[debops.nodejs] The debops.nodejs role can now install Yarn package manager using its upstream APT repository
(not enabled by default).

DebOps roles and playbooks can now be tested using local or remote
GitLab CI instance, with Vagrant, KVM and LXC
technologies and some custom scripts.

DebOps roles and playbooks will be included in the Python packages released
on PyPI. This will allow for easier installation of DebOps via pip
(no need to download the roles and playbooks separately) as well as simple
stable releases. The DebOps monorepo can still be installed separately.

[debops-tools] The debops-update script will now install or
update the DebOps monorepo instead of separate debops-playbooks and
DebOps roles git repositories. Existing installations shouldn't be affected.

[debops-tools] The debops script will now include the DebOps
monorepo roles and playbooks in the generated ansible.cfg
configuration. The monorepo roles and playbooks are preferred over the old
debops-playbooks ones.

The script is backwards compatible and should work correctly with or without
the debops-playbooks repository and roles installed.

The project repository is tested using pycodestyle for compliance
with Python's PEP8 Style Guide.

[debops.nodejs] The npm package has been removed from Debian Stable.
The role will now install NPM using the GitHub source, unless upstream NodeJS is
enabled, which includes its own NPM version.

[debops.gunicorn] Update the role to work correctly on Debian Stretch and
newer releases. The support for multiple gunicorn instances using
custom Debian scripts has been removed in Debian Stretch, therefore the role
replaces it with its own setup based on systemd instances.

[debops.gitlab_runner] The GitLab Runner playbook is moved to the
agent.yml playbook; it will be executed at the end of the main playbook
and should that way include correct information about installed services.

Improved Python 3 support in the DebOps scripts and throughout the
playbooks/roles. DebOps should now be compatible with both Python versions.

[DebOps playbooks] Remove the ipaddr.py Ansible filter plugin, it is
now included in the Ansible core distribution.

[debops.console] Remove the locales configuration from the
'debops.console' role, this functionality has been moved to the new
'debops.locales' role. You will need to update the Ansible inventory
variables to reflect the changes.

[debops.console] Remove management of the /etc/issue and
/etc/motd files from the debops.console role. That functionality
is now available in the debops.machine role. You will need to update
the Ansible inventory variables to reflect the changes.

[debops.console] Management of the /prochidepid= option has been
moved to a new role, debops.proc_hidepid. You will need to update the
Ansible inventory variables to reflect the changes.

[debops.console] Management of the System News using the sysnews Debian
package has been removed from the role; it's now available as a separate
debops.sysnews Ansible role. You will need to update the Ansible
inventory variables related to System News due to this changes.

Various repositories that comprise the DebOps project have been merged into
a single monorepo which will be used as the main development repository.
Check the git log for information about older releases of DebOps
roles and/or playbooks.